The Firewall clients are on strike

The Firewall clients are on strike - 8.Jun.2001 5:31:00 PM   
problem_child

 

Posts: 2
Joined: 8.Jun.2001
From: charlotte nc
Status: offline
Hi,

I have issues with a Win2K (SP1) DC (with DNS) that has ISA installed. Btw, this is a test box only. The production ISA will not be a DC.

1) The external NIC of the ISA box is configured via DHCP and only has TCP/IP bound to the adapter (no Cli for MS, F&P sharing, or NetBIOS)

2) The internal NIC of the ISA box is configured with a static IP. It does not have a default gateway, but does have a DNS address (loopback IP)

3) I have configured a protocol rule allowing all IP traffic always to all users.

4) I have configured packet filters to allow all traffic both directions (i.e. wide open)

5) I have verified the default site and content rule exists.

6) The ISA server will be a VPN server too, so I ran the client VPN wizard. I ensured the appropriate packet filters were created.

Web proxy (settings in IE) and S-NAT (with def gateway) clients work just fine under this configuration.

Not a single protocol works for firewall clients.

6) After reading newsgroups and this board, I modified the configuration of the HTTP redirector to send requests directly to the web server and not to the proxy server.

At this point, HTTP, HTTPS, FTP work fine. However, I still cannot get protocols such as PPTP, ICMP, napster, gnutella, etc. to work.

My firewall clients do not have a default gateway defined and do not have the automatic discovery of ISA server on (this seems to kill any chance of communicating with the ISA).

I want to be able to provide access for all protocols, but I want to be able to control access by users and groups. The MS literature indicates that the firewall client is necessary for this functionality.

Is this an issue with the firewall client config?

Could somebody provide some insight into my problem? Please let me know if additional information is necessary.

Btw, thumbs up on a great ISA server site.

Thanks,
richard

Post #: 1
RE: The Firewall clients are on strike - 9.Jun.2001 4:28:00 AM   
tshinder

 

Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Richard,

Lots of problems. My pea brain can't handle all of them at once, but I can help you with one of them.

To allow the Firewall Clients to use outbound PPTP and ICMP, you must enable IP Routing on the ISA Server and make the machines SecureNAT as well as Firewall Clients.

HTH,
Tom

------------------
Tom Shinder
http://www.isaserver.org/shinder/



(in reply to problem_child)
Post #: 2
RE: The Firewall clients are on strike - 10.Jun.2001 8:42:00 PM   
problem_child

 

Posts: 2
Joined: 8.Jun.2001
From: charlotte nc
Status: offline
Tom,

Thanks for the quick reply.

Basically, I guess my question could be summed up:

How does one configure (or is it possible to configure) the firewall client to allow all Winsock applications to pass through the ISA server without creating individual application entries in the MSPCLNT.INI or separate WSPCFG.INI's?

TIA,
richard


(in reply to problem_child)
Post #: 3
RE: The Firewall clients are on strike - 11.Jun.2001 12:08:00 AM   
UncleTJ

 

Posts: 5
Joined: 10.Jun.2001
From: Washington,DC 20001
Status: offline
I have the same question and identical situation, what to do?

TJ


(in reply to problem_child)
Post #: 4
RE: The Firewall clients are on strike - 11.Jun.2001 4:16:00 PM   
tshinder

 

Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by problem_child:
Tom,

Thanks for the quick reply.

Basically, I guess my question could be summed up:

How does one configure (or is it possible to configure) the firewall client to allow all Winsock applications to pass through the ISA server without creating individual application entries in the MSPCLNT.INI or separate WSPCFG.INI's?

TIA,
richard


Hi Richard,

Dude! You've got to buy my book! It explains everything you ever wanted to know (well, almost) about the Firewall client and how to make it do what you want it to do.

The Firewall Client is smart, but you still may have to create Protocol Definitions and Protocol Rules to allow outbound access. There should not be a need to create custom .ini files for each network application, but you do need Protocol Definitions and Rules to support the applications you wish to use.

Check this site, or the section in our book, about how to set up Napster. For other things like Gnutella, it becomes a game of cat and mouse in terms of finding what protocols are used so that you can create the appropriate rules.

But post your questions to this site. There are a *lot* of really smart guys on these boards who can usually come up with an answer to these sorts of questions.

HTH,
Tom

------------------
Tom Shinder
http://www.isaserver.org/shinder/



(in reply to problem_child)
Post #: 5
